SIGNED(7)                                                            SIGNED(7)

NAME
       signed - check a proposed escalation program against a known signature

SYNOPSIS
       signed  [-P  pid]  [-C config] [-f file] [-g group] [-R root] [-u user]
       mnemonic program euid:egid cred_type:cred
       signed -h|-H
       signed -V

DESCRIPTION
       This helmet is intended to force a review of new applications and their
       supporting startup scripts.  It does this by assessing the output  from
       a shell command applied to the proposed escalated program.  The command
       is  assumed  to  run  some  checksum,  hash, or other consistency check
       against the program file.  The escalation fails when any of these
       commands exit(3)s non-zero, or when the output of a command differs
       from the expected output.

       By recording a hash of the file in the op(1) configuration file we  are
       trying  to detect unauthorized updates to either the application or its
       start script.  This  assumes  that  the  unauthorized  updates  do  not
       include, which would be a whole-sale subornation of our security
       model.

       This program accepts all the options op(1) provides, but actually looks
       at none of them other than -P and the program path.  It does sanity
       check them, just the same.

       Like any helmet, most of the configuration is passed from  op  via  the
       environment:

              The  shell command cmd is executed with the path to the proposed
              file appended.  The output must match the signature text, except
              that leading and trailing white-space on each line is ignored,
              and all internal white-space is collapsed to a single space.
              The shell command cmd is executed with the proposed file open as
              stdin.  The output must match the signature text as above.

              The warning message to replace the common "Sorry" denial
              message.

              The standard reveal logic, see op-jacket(7).

       All  of  these  are deleted from each cmd's environment: $IFS, $CDPATH,
       $ENV, $BASH_ENV, so that a perl(1) check script running with taint
       checks (-T) does not refuse to run any commands.  There is no way in
       this jacket to set them.  Code an adapter script to call the correct
       checksum application while installing the necessary environment.
EXAMPLES
       These are examples from the command-line:

       /usr/local/libexec/jacket/signed -V
              Output only the version of the program, then exit.

       /usr/local/libexec/jacket/signed -H
              Output only a summary of the environment expected.

       All  of  these are snips from the op(1) configuration file.  Note that
       you must allow any referenced environment variables into the escalated
       environment, and it is a really good idea to include a $PATH.

              Check  that  the program is ls, and has the same text, data, and
              bss segment sizes as it did when the admin last  looked  at  it.
              Any  patch  to the binary is quite likely to change at least one
              of these.

              Whatever program is proposed must match the given CRC  checksum
              and file size.

              Just check that the file exists, via stat(2).  No other check is
              made.
       To build the output for a program, just run the check command on it
       with a filter that compresses the white-space into quoted spaces for
       op on the end.  Here is an example filter:
              tr -s ' \t' ' ' |sed -e 's/^ //' -e 's/ $//' -e 's/ /$./g'
       Then copy each line into the configuration as an environment assignment
       to  the  correct  variable, separated with $. to represent line-breaks.
       See the $SIGNED_CMD_size example above.   Note  that  op  also  expands
       "$\s"  to  a space, which is a little longer to spell than "$.".
       (However $. changes meanings in the command specification, we use it with
       It  might  look  like  ls(1) would be an obvious choice to use, but the
       date in its long-format output changes based on elapsed time.  So use
       that with
       This  jacket  trusts  that the op configuration won't allow a malicious
       shell command through the environment filter.  Any  configuration  that
       calls  a  helmet  or jacket requires great care, but great power always
       comes with great responsibility.

       Sometimes a small script may be required to force options to the  check
       cmd.   It  would  be  clever  to allow some character to stand-in for a
       space, but it would also be a problem because we'd have to be  able  to
       quote  it as well.  Just code an adapter script -- you can simplify the
       output as well (to just a number or string).

AUTHOR
       K S Braunsdorf, from the Non-Player Character Guild
       op at-not-a-spammer ksb dot

SEE ALSO
       op(1l),  op-jacket(7l),   stampctl(8l),   getpeereid(3),   hostname(1),
       size(1), cksum(1), dgst(1), md5(1)

                                     LOCAL                           SIGNED(7)